I was just noticing the other day that a number of emacs lisp packages I use on a regular basis hadn't had any development work in 5-10 years.
If it works, why change it? The SmallWall project was immune to all of the SSL bugs in the last year because we use an old version that does not have these new and buggy features... Of course, this rating system would ding us for that...
An attacker might e.g. get commit rights to several low-activity projects, insert malicious code, and wait for people to download updates and become easily exploitable.
Their rating system actually encourages this. If you have tight controls on commits, like perhaps one or two people who review code and actually make the commits, you are "at risk." So go ahead and give that NSA guy commit access...
Why companies are throwing support behind it rather than LibreSSL is beyond me.
Because it is what they use. Porting has a non-zero cost as well.
What they did was get a basic overview of which projects need the most attention.
No, they have a list of projects that rate in their arbitrary definition of "risk." Have a nice and stable project that is not on the feature-of-the-week train? High risk, because there are not enough updates. How about a hidden development svn, with a public mirror that makes all contributions look like they come from one person? Oh, that is very high risk... By their metrics, "Hello World" is the riskiest program on the planet.
I can name 20 (or 50, or maybe 100) people with far more economic influence in the last 20 years than this douchebag.
Yet somehow you could not type one name here...
What this country needs is a good five dollar plasma weapon.